An analysis of the impact of Europe’s new data protection framework, GDPR, on the adtech industry suggests the regulation has reduced the numbers of ad trackers that websites are hooking into EU visitors.

But it also implies that Google may have slightly increased its marketshare in the region — indicating the adtech giant could be winning at the compliance game at the expense of smaller advertising entities which the study also shows losing reach.

The research was carried out by the joint data privacy team of the anti-tracking browser Cliqz and the tracker blocker tool Ghostery (which merged via acquisition two years ago), using data from a service they jointly run, called WhoTracks.me — which they say is intended to provide greater transparency on the tracker market. (And therefore to encourage people to make use of their tracker blocker tools.)

A tale of two differently regulated regions

For the GDPR analysis, the team compared the prevalence of trackers one month before and one month after the introduction of the regulation, looking at the top 2,000 domains visited by EU or US residents.

On the tracker numbers front, they found that the average number of trackers per page dropped by almost 4% for EU web users from April to July.

Whereas the opposite was true in the US, with the average number of trackers per page rose by more than 8 percent over the same period.

In Europe, they found that the reduction in trackers was nearly universal across website types, with adult sites showing almost no change and only banking sites actually increasing their use of trackers.

In the US, the reverse was again true — with banking sites the only category to reduce tracker numbers over the analyzed period.

“The effects of the GDPR on the tracker landscape in Europe can be observed across all website categories. The reduction seems more prevalent among categories of sites with a lot of trackers,” they write, discussing the findings in a blog post. “Most trackers per page are still located on news websites: On average, they embed 12.4 trackers. Compared to April, however, this represents a decline of 7.5%.

“On ecommerce sites, the average number of trackers decreased by 6.9% to 9.5 per page. For recreation websites, the decrease is 6.7%, which corresponds to 10.7 trackers per page. A similar trend is observed for almost all other website categories. The only exception are banking sites, on which 7.4% more trackers were active in July than in April. However, the average number of trackers per page is only 2.6.”

Shifting marketshare

In the blog post they also argue that their snapshot comparison of tracker prevalence of April 2018 against July 2018 reveals “a clear picture” of GDPR’s impact on adtech marketshare — with “especially” smaller advertising trackers having “significantly” lost reach (which they are using as a proxy for marketshare).

In their analysis they found smaller tracker players lost between 18% and 31% reach/marketshare when comparing April (pre-GDPR) and July (post-GDPR).

Whereas adtech market leader Google was able to slightly increase its reach — by almost 1%.

Summing up their findings, Cliqz and Ghostery write: “For users this means that while the number of trackers asking for access to their data is decreasing, a tiny few (including Google) are getting even more of their data.”

The latter finding lends some weight to the argument that regulation can reinforce dominant players at the expense of smaller entities by further concentrating power — because big companies have greater resources to tackle compliance.

Although the data here is just a one-month snapshot. And the additional bump in marketshare being suggested for Google is not a huge one — whereas a nearly 7% drop in marketshare for Facebook is a more substantial impact.

Cliqz shared their findings with TechCrunch ahead of publication and we put several questions to them about the analysis, including whether or not the subsequent months (August, September) indicated this snapshot is a trend, i.e. whether or not Google sustained the additional marketshare.

However the company had not responded to our questions ahead of publication.

In the blog post Cliqz and Ghostery speculate that the larger adtech players might be winning (relatively speaking) the compliance game at the expense of smaller players because website owners are preferring to ‘play it safe’ and drop smaller entities vs big known platforms.

In the case of Google, they also flag up reports that suggest it has used its dominance of the adtech market to “encourage publishers to reduce the number of ad tech vendors and thus the number of trackers on their sites” — via a consent gathering tool that restricts the number of supply chain partners a publisher can share consent with to 12 vendors.

They also point to the use of manipulative UX design (aka dark patterns) that are used to “nudge users towards particular choices and actions that may be against their own interests”, suggesting these essentially deliberately confusing consent flows have been successfully tricking users into clicking and accepting “any kind of data collection” just to get rid of cryptic choices they’re being asked to understand.

Given Google’s dominance of digital ad spending in Europe it stands to gain the most from websites’ use of manipulative consent flows.

However GDPR requires consent to be informed and freely given, not baffling and manipulative. So regulators should (hopefully) be getting a handle on any such transgressions and transgressors soon.

The continued existence of nightmarishly confused and convoluted consent flows is another complaint we’ve also heard before — much and often. (And one we have ourselves, frankly.)

Overall, according to the European Data Protection Board, a total of more than 42,000 complaints have been lodged so far with regulators, just four months into GDPR.

And just last week Europe’s data protection supervisor, Giovanni Buttarelli, told us to expect the first GDPR enforcement actions before the end of the year. So lots of EU consumers will already be warming up the popcorn.

But Cliqz and Ghostery argue that disingenuous attempts to manipulate consent might need additional regulatory tweaks to be beaten back — calling in their blog post for regulations to enforce machine-readable standards to help iron away flakey flows.

“The next opportunity for that would be the ePrivacy regulation,” they suggest, referencing the second big privacy rules update Europe is (still) working on. “It would be desirable, for example, if ePrivacy required that the privacy policies of websites, information on the type and scope of data collection by third parties, details of the Data Protection Officer and reports on data incidents must be machine-readable.

“This would increase transparency and create a market for privacy and compliance where industry players keep each other in check.”

It would also, of course, provide another opportunity for pro-privacy tools to make themselves even more useful to consumers.